[ISN] REVIEW: "Security in Computing", Charles P. Pfleeger/Shari Lawrence Pfleeger

From: InfoSec News (isnat_private)
Date: Thu Mar 06 2003 - 03:02:52 PST


    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    
    BKSCNCMP.RVW   20030209
    
    "Security in Computing", Charles P. Pfleeger/Shari Lawrence Pfleeger,
    2003, 0-13-035548-8, U$79.00/C$122.99
    %A   Charles P. Pfleeger
    %A   Shari Lawrence Pfleeger s.pfleegerat_private
    %C   One Lake St., Upper Saddle River, NJ   07458
    %D   2003
    %G   0-13-035548-8
    %I   Prentice Hall
    %O   U$79.00/C$122.99 +1-201-236-7139 fax: +1-201-236-7131
    %O  http://www.amazon.com/exec/obidos/ASIN/0130355488/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/0130355488/robsladesinte-21
    %O   http://www.amazon.ca/exec/obidos/ASIN/0130355488/robsladesin03-20
    %P   746 p.
    %T   "Security in Computing"
    
    This work is still obviously a textbook.  The attempts to target it at
    a "professional" audience are possibly more convincing than in the
    first edition, but it still reads like a text, and includes material
    that is addressed at a scholastic, rather than experienced, audience. 
    Even as a textbook it is difficult to say that it succeeds.  It addresses
    a broad range of computer security related topics, although there is a
    notable shortage of material dealing with formal security models,
    access concepts, operational procedures, physical security, and
    business continuity.  The level of detail in the different areas
    varies greatly, but the shortcomings of the book could be addressed in
    the hands of a competent teacher.
    
    The ten chapters in the book are not divided into parts, but seem, in
    some cases, to come in chunks.  The introductory chapter is an
    overview of basic concepts involved with system security. 
    Unfortunately, not all of them are explained fully.  The idea of
    controls, for example, is a vital one, but the full ranges and types
    of controls are not outlined.  There are also some not-quite-standard
    additions to the lexicon, such as an attempt to divide threats into
    four classes: interception, interruption, modification, and
    fabrication.  It is difficult to see why fabrication is added to the
    list, or why this provides a clearer view of threats than simply
    looking to the opposites of confidentiality, integrity, and
    availability.  Cryptography starts in chapter two (and, oddly, ends in
    chapter ten).  The early coverage steps through different types of
    simple encryption algorithms, followed up by cryptanalysis of the
    same.  It strenuously avoids using any arithmetic, which makes
    discussions of key sizes and strengths a bit difficult, but throws in
    lots of symbolic logic, which seems to serve only to cloud the issue.
    
    Chapter three starts what might be seen as a section on secure systems
    development.  This is an important, and often neglected, topic, and is
    generally covered reasonably well.  However, the material is not
    always completely clear and rigorous.  For example, it is implied that
    Thompson, rather than Cohen, was the first to investigate viruses. 
    Leaving aside the fact that Cohen's work started a year before
    Thompson's lecture (only the date of Cohen's graduation is given),
    Thompson's thought experiment proposed only an extremely limited form
    of reproduction.  Again, when discussing covert channels, both the
    terms "timing channel" and "storage channel" are used, but all the
    examples given relate only to timing channels.  Operating system
    protections are supposed to be covered in chapter four, but the
    content is an odd amalgam of computer architecture and high level
    access control.  In regard to designing trusted operating systems,
    chapter five starts with a very poor outline of formal models (the
    text is not clear, and, again, the addition of symbolic logic fails to
    assist in the tutorial), presents a fair review of operating system
    requirements, and then spends a lot of time going over various
    evaluation criteria, without presenting much content of any use.  The
    outline of database security is disappointing: chapter six spends too
    much time on specific details, while almost ignoring major concepts
    such as aggregation.
    
    Chapter seven, the longest in the book, devotes excessive space to
    basic communications technologies, including two copies of the section
    on transmission methods.  Administration, in chapter eight, provides
    the usual generic advice on planning, risk, and policies. 
    Intellectual property, computer crime, and ethics are presented as
    problems with no solutions, in chapter nine.  The closing chapter
    provides a whirlwind of the mathematics related to cryptography in an
    impressive, disorganized, and basically pointless display.
    
    This book could definitely use a wholesale reorganization and cleanup. 
    The level and tone of the content varies tremendously from section to
    section, even within given chapters.  While most computer security
    topics appear somewhere within the work, there is very little in the
    way of logical flow or links between subjects.  Major areas seem to be
    thrown in with minor sections simply because they had to be put
    somewhere.  In terms of textbooks, I do not know that there is much to
    choose between this volume and Bishop's "Computer Security: Art and
    Science" (cf. BKCMSCAS.RVW), although Pfleeger and Pfleeger might have
    a slight edge.  Certainly Gollman's "Computer Security" (cf.
    BKCOMPSC.RVW) is superior to both.  And, depending upon the course,
    Anderson's "Security Engineering" (cf. BKSECENG.RVW) probably outranks
    them all.
    
    copyright Robert M. Slade, 1993, 2003   BKSCNCMP.RVW   20030209
    
    -- 
    ======================
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
    Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
              March 31, 2003           Indianapolis, IN